
    Mitigating security and privacy threats from untrusted application components on Android

    Due to Android's data-centric and open-source nature, as well as the flawed or malicious apps admitted by its lax market approval process, users' privacy is particularly at risk. This dissertation presents a series of research works that mitigate the security and privacy threat posed by untrusted app components. The first work introduces a compiler-based compartmentalization solution that uses privilege separation to establish a strong barrier between the host app and library components, thereby protecting sensitive data from compromise by curious or malicious advertising libraries. For error-prone third-party libraries, the second work implements a library update framework based on API compatibility that updates outdated libraries via drop-ins, in order to minimize the window of vulnerability caused by libraries. The most recent work examines the abuse of privileged accessibility (a11y) features in malicious apps. We present a privacy-friendly a11y framework that treats the a11y logic as a pipeline consisting of several modules running in different sandboxes. Furthermore, we enforce flow control over the communication between the modules, which reduces the attack surface for a11y API misuse while preserving the benefits of a11y.
    While Android's data-intensive and open-source nature, combined with its less-than-strict market approval process, has allowed the installation of flawed and even malicious apps, its coarse-grained security model and the update bottleneck in the app ecosystem make the platform's privacy and security situation more worrying. This dissertation introduces a line of works that mitigate privacy and security threats from untrusted app components.
    The first work presents a compiler-based library compartmentalization solution that utilizes privilege separation to establish a strong, trustworthy boundary between the host app and untrusted library components, thus protecting sensitive user data from being compromised by curious or malicious ad libraries. For vulnerable third-party libraries, the second work implements an API-compatibility-based library update framework that uses drop-in replacements of outdated libraries to minimize the open vulnerability window caused by libraries; we perform multiple dynamic tests and case studies to investigate its feasibility. Our latest work focuses on the misuse of powerful accessibility (a11y) features in untrusted apps. We present a privacy-enhanced a11y framework that treats the a11y logic as a pipeline composed of multiple modules running in different sandboxes. We further enforce flow control over the communication between modules, thus reducing the attack surface from abusing a11y APIs while preserving the a11y benefits.

    Understanding and measuring privacy violations in Android apps

    Increasing data collection and tracking of consumers by today's online services is becoming a major problem for individuals' rights. It raises a serious question about whether such data collection can be legally justified under legislation around the globe. Unfortunately, the community lacks insight into such violations in the mobile ecosystem. In this dissertation, we approach these problems by presenting a line of work that provides a comprehensive understanding of privacy violations in Android apps in the wild and automatically measures such violations at scale. First, we build an automated tool that detects unexpected data access based on user perception when interacting with the apps' user interface. Subsequently, we perform a large-scale study on Android apps to understand how prevalent violations of GDPR's explicit consent requirement are in the wild. Finally, until now, no study has systematically analyzed the currently implemented consent notices and whether they conform to GDPR in mobile apps. Therefore, we propose a mostly automated and scalable approach to identify the current practices of implemented consent notices. We then develop an automatic tool that detects data sent out to the Internet under different consent conditions. Our result shows the urgent need for more transparent user interface designs to better inform users of data access and calls for new tools to support app developers in this endeavor.
    The increasing data collection and tracking of consumers by today's online services is becoming a major problem for individual rights. It raises the serious question of whether such data collection can be legally justified under legislation worldwide. Unfortunately, the community lacks insight into these violations in the mobile ecosystem.
    In this dissertation, we approach these problems by presenting a line of work that provides a comprehensive understanding of privacy violations in Android apps in practice and automatically measures such violations. First, we develop an automated tool that detects unforeseen data access based on the use of apps' user interfaces. Next, we conduct an extensive study of Android apps to understand how frequently violations of the GDPR's explicit-consent requirement occur. Finally, until now no study has systematically analyzed the currently implemented consent notices and their conformance with the GDPR in mobile apps. Therefore, we propose a mostly automated and scalable approach to identify the current practices of consent notices. We then develop a tool that detects data sent to the Internet under different consent conditions. Our result shows the urgent need for more transparent user interface design to better inform users about data access, and we call for new tools that support app developers in this endeavor.

    Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned

    Despite the growing threat posed by Android malware, the research community still lacks a comprehensive view of the common behaviors and trends exposed by malware families active on the platform. Without such a view, researchers incur the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threat, different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing. One of the main challenges posed when studying repackaged malware is slicing the app to split benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of malicious riders alone. Our analysis framework relies on collective repositories and recent advances in the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention by the research community. Accepted manuscript.

    iOS Technologies & Frameworks

    Apple's mobile platform — iOS — currently generates the largest amount of revenue out of all mobile app stores. The majority of iDevices run the latest major iOS version (iOS 10) due to Apple users' tendency to update their devices. Consequently, iOS developers are pressured into keeping their apps up to date. Advantages to updating apps consist of new features and adapting apps to the platform's hardware and software evolution. However, this does not always happen. There are apps, some popular (with many users), which either receive slow updates, or none at all. The main consequence of developers not updating to the latest tendencies (i.e. user interface or API changes) is the degradation of their apps' user experience. This subpar user experience leads to a decrease in the number of installs (and sales) and a search for alternatives that have been updated to fully support the latest firmware iteration. We identified a common pattern amongst ten apps which have subpar reviews on the App Store: excessive battery consumption and lack of user onboarding were just a few of the issues. Above all, almost all those apps belong to the top 1% of apps (which generate 94% of the App Store's revenue), so the lack of focus on the user experience is unfortunate considering their massive user bases. We listed the available resources for those wanting to develop or improve iOS apps. Given these requisites, we studied the possibility of developing a mobile app that adopted good engineering practices and, above all, focused on delivering an excellent user experience in a given timeframe of six months. The app's idea consisted of a wish list management app called Snapwish that allows the user to take photos of objects they want, create wish lists, and share them with family and friends. The app allows for offline usage, with data syncing automatically (in real time) without user intervention when an Internet connection is present.
    We tested Snapwish thoroughly to measure the quality of its implementation. Profiling helped assert that core metrics like CPU and memory usage, network data requests and energy consumption were within acceptable values, while unit and user interface tests served to validate our code functionally. Furthermore, our team of five beta testers provided valuable feedback and suggestions. Ultimately, the six-month timeframe proved to be insufficient in regards to a release on the App Store, as Snapwish remains in the latter beta stages at the time of writing. This delay is mostly attributed to a lengthy testing process. Thus, we plan on releasing it in the first trimester of 2017.
    Today, Apple's mobile platform, iOS, is the one with the highest revenue in mobile applications. Most iOS mobile devices run the latest version (iOS 10), owing to their users' tendency to update the operating system frequently. Consequently, developers on the platform are pressured to keep their apps up to date. Some of the advantages of updates consist in adding new functionality and adapting apps to the evolution of the platform's hardware and software. However, this does not always happen. There are many apps, some "popular" (with many installs), whose updates are slow or never arrive. The main consequence of not updating apps to current trends, whether in terms of interaction or in terms of data-protection mechanisms, battery consumption and others, is the degradation of the experience of those who use them and, consequently, a decrease in the number of installs (and sales) and a growing search for alternatives that take these principles into account. A common pattern was identified in ten applications whose ratings on the App Store are mediocre: excessive battery consumption and a lack of user onboarding were just some of the problems.
    Above all, almost all of them belong to the 1% of applications that generate 94% of the App Store's revenue. The lack of focus on user experience is unfortunate considering the enormous user bases of these applications. The resources available to those wishing to develop or improve an iOS application were listed. Given these premises, we studied the possibility of developing a mobile application that adopts good engineering practices and, above all, focuses on user experience, within a period of six months. The idea for the application consisted of a wish-list manager called Snapwish that allows users to take photos of objects they want, create lists, and share them with friends and family. In addition, the app allows offline use, and data is synchronized in real time without user intervention when the app has an Internet connection. Our application was tested extensively to measure the quality of its implementation. Profiling helped establish that fundamental metrics such as CPU and memory consumption, network data requests and energy (battery) consumption were within acceptable parameters. In addition, a team of five beta testers contributed highly valuable comments and suggestions. Ultimately, the six-month deadline proved insufficient for releasing the app on the App Store. Snapwish remains in an advanced beta phase (at the time of writing this thesis). This delay is mainly attributed to an extensive testing process. Thus, we intend to release the application in the first quarter of 2017.

    A survey of app store analysis for software engineering

    App Store Analysis studies information about applications obtained from app stores. App stores provide a wealth of information derived from users that would not exist had the applications been distributed via previous software deployment methods. App Store Analysis combines this non-technical information with technical information to learn trends and behaviours within these forms of software repositories. Findings from App Store Analysis have a direct and actionable impact on the software teams that develop software for app stores, and have led to techniques for requirements engineering, release planning, software design, security and testing. This survey describes and compares the areas of research that have been explored thus far, drawing out common aspects, trends and directions future research should take to address open problems and challenges.

    “And all the pieces matter...” Hybrid Testing Methods for Android App's Privacy Analysis

    Smartphones have become inherent to the everyday life of billions of people worldwide, and they are used to perform activities such as gaming, interacting with our peers or working. While extremely useful, smartphone apps also have drawbacks, as they can affect the security and privacy of users. Android devices hold a lot of personal data from users, including their social circles (e.g., contacts), usage patterns (e.g., app usage and visited websites) and their physical location. As in most software products, Android apps often include third-party code (Software Development Kits or SDKs) to add functionality to the app without the need to develop it in-house. Android apps and the third-party components embedded in them are often interested in accessing such data, as the online ecosystem is dominated by data-driven business models and revenue streams like advertising. The research community has developed many methods and techniques for analyzing the privacy and security risks of mobile apps, mostly relying on two techniques: static code analysis and dynamic runtime analysis. Static analysis examines the code and other resources of an app to detect potential app behaviors. While this makes static analysis easier to scale, it has other drawbacks, such as missing app behaviors when developers obfuscate the app's code to avoid scrutiny. Furthermore, since static analysis only shows potential app behavior, its findings need to be confirmed, as it can also report false positives due to dead or legacy code. Dynamic analysis examines the apps at runtime to provide actual evidence of their behavior. However, these techniques are harder to scale, as they need to be run on an instrumented device to collect runtime data. Similarly, there is a need to stimulate the app, simulating real inputs to examine as many code paths as possible. While there are some automatic techniques to generate synthetic inputs, they have been shown to be insufficient.
    In this thesis, we explore the benefits of combining static and dynamic analysis techniques to complement each other and reduce their limitations. While most previous work has often relied on using these techniques in isolation, we combine their strengths in different and novel ways that allow us to further study different privacy issues in the Android ecosystem. Namely, we demonstrate the potential of combining these complementary methods to study three inter-related issues:
    • A regulatory analysis of parental control apps. We use a novel methodology that relies on easy-to-scale static analysis techniques to pinpoint potential privacy issues and violations of current legislation by Android apps and their embedded SDKs. We rely on the results from our static analysis to inform the way in which we manually exercise the apps, maximizing our ability to obtain real evidence of these misbehaviors. We study 46 publicly available apps and find instances of data collection and sharing without consent and insecure network transmissions containing personal data. We also see that these apps fail to properly disclose these practices in their privacy policy.
    • A security analysis of unauthorized access to permission-protected data without user consent. We use a novel technique that combines the strengths of static and dynamic analysis, by first comparing the data sent by applications at runtime with the permissions granted to each app in order to find instances of potential unauthorized access to permission-protected data. Once we have discovered the apps that are accessing personal data without permission, we statically analyze their code in order to discover covert and side channels used by apps and SDKs to circumvent the permission system. This methodology allows us to discover apps using the MAC address as a surrogate for location data, two SDKs using the external storage as a covert channel to share unique identifiers, and an app using picture metadata to gain unauthorized access to location data.
    • A novel SDK detection methodology that relies on obtaining signals observed both in the app's code and static resources and during its runtime behavior. We then rely on a tree structure together with a confidence-based system to accurately detect SDK presence without the need for any a priori knowledge and with the ability to discern whether a given SDK is part of legacy or dead code. We prove that this novel methodology can discover third-party SDKs with more accuracy than state-of-the-art tools, both on a set of purpose-built ground-truth apps and on a dataset of 5k publicly available apps.
    With these three case studies, we are able to highlight the benefits of combining static and dynamic analysis techniques for the study of the privacy and security guarantees and risks of Android apps and third-party SDKs. The use of these techniques in isolation would not have allowed us to deeply investigate these privacy issues, as we would lack the ability to provide real evidence of potential breaches of legislation, to pinpoint the specific way in which apps are leveraging covert and side channels to break Android's permission system, or we would be unable to adapt to an ever-changing ecosystem of Android third-party companies.
    The works presented in this thesis were partially funded within the framework of the following projects and grants:
    • European Union's Horizon 2020 Innovation Action program (Grant Agreement No. 786741, SMOOTH Project and Grant Agreement No. 101021377, TRUST AWARE Project).
    • Spanish Government ODIO Nº PID2019-111429RB-C21/PID2019-111429RBC22.
    • The Spanish Data Protection Agency (AEPD)
    • AppCensus Inc.
    This work has been supported by IMDEA Networks Institute. Programa de Doctorado en Ingeniería Telemática por la Universidad Carlos III de Madrid. Chair: Srdjan Matic. Secretary: Guillermo Suárez-Tangil. Member: Ben Stoc

    "Developers are Responsible": What Ad Networks Tell Developers About Privacy


    On the Security and Privacy Challenges in Android-based Environments

    In the last decade, we have faced the rise of mobile devices as a fundamental tool in our everyday life. Currently, there are more than 6 billion smartphones, and 72% of them are Android devices. The functionalities of smartphones are enriched by mobile apps, through which users can perform operations that in the past were possible only on desktop/laptop computers. Besides, users heavily rely on them for storing even the most sensitive information from a privacy point of view. However, apps often do not satisfy all minimum security requirements and can be targeted to indirectly attack other devices managed by or connected to them (e.g., IoT nodes) that may perform sensitive operations such as health checks, controlling a smart car or opening a smart lock. This thesis discusses some research activities carried out to enhance the security and privacy of mobile apps by i) proposing novel techniques to detect and mitigate security vulnerabilities and privacy issues, and ii) defining techniques devoted to the security evaluation of apps interacting with complex environments (e.g., mobile-IoT-Cloud). In the first part of this thesis, I focused on the security and privacy of mobile apps. Due to the widespread adoption of mobile apps, it is relatively straightforward for researchers or users to quickly retrieve the app that matches their tastes, as Google provides a reliable search engine. However, it is likewise almost impossible to select apps according to a security footprint (e.g., all apps that enforce SSL pinning). To overcome this limitation, I present APPregator, a platform that allows users to select apps according to a specific security footprint. This tool aims to implement state-of-the-art static and dynamic analysis techniques for mobile apps and provide security researchers and analysts with a tool that makes it possible to search for mobile applications under specific functional or security requirements.
    Regarding the security status of apps, I studied a particular context of mobile apps: hybrid apps composed of web technologies and native technologies (i.e., Java or Kotlin). In this context, I studied a vulnerability that affects only hybrid apps: Frame Confusion. This vulnerability, despite being discovered several years ago, is still very widespread. I proposed a methodology, implemented in FCDroid, that exploits static and dynamic analysis techniques to detect and trigger the vulnerability automatically. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. A side effect of the analysis I carried out through APPregator was the suggestion that very few apps have a privacy policy, even though the Google Play Store imposes strict rules about it, set out in the Google Play Privacy Guidelines. To empirically verify whether that was the case, I proposed a methodology based on the combination of static analysis, dynamic analysis, and machine learning techniques. The proposed methodology verifies whether each app contains a privacy policy compliant with the Google Play Privacy Guidelines, and whether the app accesses privacy-sensitive information only upon the acceptance of the policy by the user. I then implemented the methodology in a tool, 3PDroid, and evaluated a number of the most recent and most downloaded Android apps in the Google Play Store. Experimental results suggest that over 95% of apps access sensitive user privacy information, but only a negligible subset of them (~1%) fully complies with the Google Play Privacy Guidelines. Furthermore, the obtained results also suggest that user privacy could be put at risk by mobile apps that keep collecting a plethora of information regarding the user's and the device's behavior by relying on third-party analytics libraries.
    However, collecting and using such data raises several privacy concerns, mainly because the end user, i.e., the actual data owner, is out of the loop in this collection process. The existing privacy-enhanced solutions that emerged in the last years follow an "all or nothing" approach, leaving the user the sole option to accept or completely deny access to privacy-related data. To overcome the current state-of-the-art limitations, I proposed a data anonymization methodology, called MobHide, that provides a compromise between the usefulness and the privacy of the data collected and gives the user complete control over the sharing process. To evaluate the methodology, I implemented it in a prototype called HideDroid and tested it on the 4500 most-used Android apps of the Google Play Store between November 2020 and January 2021. In the second part of this thesis, I extended privacy and security considerations outside the boundary of the single mobile device. In particular, I focused on two scenarios. The first is composed of an IoT device and a mobile app that are integrated to resolve and perform specific actions. From a security standpoint, this leads to a novel and unprecedented attack surface. To deal with such threats, applying state-of-the-art security analysis techniques to each paradigm separately can be insufficient. I claimed that novel analysis methodologies able to systematically analyze the ecosystem as a whole must be put forward. To this aim, I introduced the idea of APPIoTTe, a novel approach to the security testing of Mobile-IoT hybrid ecosystems, as well as some notes on its implementation working on Android (Mobile) and Android Things (IoT) applications. The second scenario is composed of an IoT device widespread in the Smart Home environment: the smart speaker. Smart speakers are used to retrieve information, interact with other devices, and command various IoT nodes.
    To this aim, smart speakers typically take advantage of cloud architectures: the user's vocal commands are sampled, sent through the Internet to be processed, and transmitted back for local execution, e.g., to activate an IoT device. Unfortunately, even if privacy and security are enforced through state-of-the-art encryption mechanisms, the features of the encrypted traffic, such as the throughput, the size of protocol data units, or the IP addresses, can leak critical information about the users' habits. From this perspective, I showcase this kind of risk by exploiting machine learning techniques to develop black-box models that classify traffic and implement privacy-leaking attacks automatically.